volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

printkey recurse option broken #18

Closed gleeda closed 6 years ago

gleeda commented 6 years ago

Something is broken in the way that we are recursing registry keys. I'm not sure if it's the recursion itself, or just the way the registry key path is appended just yet. For example:

    2017-12-14 04:44:28 Key ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT    Select      False
    2017-12-14 04:44:28 Key ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT    Setup       False
    2017-12-14 04:44:28 Key ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT    Software        False
    2017-12-14 04:44:28 Key ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT    WPA     False

I remember hitting something similar to this with vol2. In that case it was because we were blindly following pointers, and sometimes they are corrupt and might be circular.

ikelos commented 6 years ago

I'm having difficulty recreating this. Is the image you're using available for testing (can you put them on the volatility test boxes?). I've been through 3 or 4 different images and none of them appear to have self-referential keys under ControlSet001\Control\Arbiters. I've been using the system hive, unless it's under a different hive?

gleeda commented 6 years ago

It was from the system hive from this memory sample:

http://buildbot.volatilityfoundation.org/volatility3/images/download/

ikelos commented 6 years ago

This should be resolved now. I extended the get_key method to return a node list, and if we've ever seen it in that list we don't traverse it again (basic loop avoidance). It might add a memory hit and potential speed hit for very deep or broad key recursion (such as classes or something very far down the tree), but we'll need to experiment to see how bad that is...
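To make the symptom in the first comment and the fix in the last one concrete, here is an added toy model of a recursive key walk (example code written for this page, not volatility3's own `get_key` or `printkey` implementation). The hive is a constructed dict of node offsets; the "Arbiters" node carries a corrupt subkey pointer back at ROOT, which is exactly what produces the ever-growing `ROOT\ControlSet001\Control\Arbiters\ROOT\...` paths. `walk_naive` follows pointers blindly (with a depth cap only so the demo terminates), while `walk_loop_safe` carries the list of node offsets on the current branch and refuses to descend into one it has already seen. All names, offsets and the `MAX_DEPTH` cap are assumptions made for the example.

```python
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed hive layout: offset -> (key name, subkey offsets).
# Not a real hive; node 0x0C ("Arbiters") has a bogus subkey pointer back to ROOT (0x00).
Hive = Dict[int, Tuple[str, List[int]]]
HIVE: Hive = {
    0x00: ("ROOT", [0x04, 0x20, 0x24, 0x28, 0x2C]),
    0x04: ("ControlSet001", [0x08]),
    0x08: ("Control", [0x0C]),
    0x0C: ("Arbiters", [0x00]),  # circular pointer: the child is the root again
    0x20: ("Select", []),
    0x24: ("Setup", []),
    0x28: ("Software", []),
    0x2C: ("WPA", []),
}

MAX_DEPTH = 40  # safety cap so the naive walker terminates at all in this demo


def walk_naive(hive: Hive, offset: int, path: str = "", depth: int = 0) -> Iterator[Tuple[str, str]]:
    """Follow subkey pointers blindly; yields (parent path, key name).

    With a circular pointer the parent path keeps growing by one
    ROOT\\ControlSet001\\Control\\Arbiters segment per cycle until the cap.
    """
    name, children = hive[offset]
    yield path, name
    if depth >= MAX_DEPTH:
        return
    child_path = name if not path else path + "\\" + name
    for child in children:
        yield from walk_naive(hive, child, child_path, depth + 1)


def walk_loop_safe(hive: Hive, offset: int, node_list: Tuple[int, ...] = ()) -> Iterator[Tuple[str, str]]:
    """Carry the node offsets of the current branch; never re-enter one already in it.

    This is the basic loop avoidance described above, modelled as an
    ancestor list rather than a global visited set, so a genuinely shared
    subtree (not a cycle) would still be walked from each parent.
    """
    name, children = hive[offset]
    path = "\\".join(hive[o][0] for o in node_list)
    yield path, name
    seen = node_list + (offset,)
    for child in children:
        if child in seen:
            continue  # circular or self-referential pointer: skip it
        yield from walk_loop_safe(hive, child, seen)


def longest_path_len(entries: Iterable[Tuple[str, str]]) -> int:
    """Length of the longest parent path among the yielded entries."""
    return max(len(path) for path, _ in entries)


if __name__ == "__main__":
    for walker in (walk_naive, walk_loop_safe):
        entries = list(walker(HIVE, 0x00))
        print(f"{walker.__name__}: {len(entries)} entries, "
              f"longest path {longest_path_len(entries)} chars")
    for path, name in walk_loop_safe(HIVE, 0x00):
        print(f"Key {path or '<root>'}\t{name}")
```

The membership test against the branch list costs time linear in the depth of the current key and the list is copied per level, which is the memory and speed overhead the comment warns about for very deep or broad subtrees; a set keyed on offset would make the check constant-time if that ever matters.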